My email-provider's website (http://www.gmx.de) recently started linking to the (German) site http://www.browsersicherheit.info/ which basically claims that due to its capabilities to modify a site's appearance, Adblock Plus (and others) might actually be abused for phising. Here's a quote from that site plus its translation:

Such addons can access all your browser's input and can also forward them to third parties - even your banking password. This can happen on all websites. Security mechanisms such as SSL cannot avoid that.

Ok, they mention other (pretty obviously crapware) addons, but is Adblock Plus really a security threat or do that site's operators simply use the opportunity to try and scare inexperienced users into viewing their ads again?

This boils down to: Don't run any applications you don't trust. If Adblock were evil, it could steal your login data. If any other executable you run were evil it could do so as well.
– CodesInChaosFeb 27 '14 at 13:25

4

Just for humor's sake: Why don't you use Ghostery? ;-)
– TheRookierLearnerFeb 27 '14 at 16:29

18

Can you clarify the question? Are you asking if Addons like Adblock could theoretically be a security risk, or are you asking if Adblock is currently a security risk?
– Mooing DuckFeb 27 '14 at 17:17

13

I wonder how many users started using Adblock Plus after reading all the articles about this? Some entities should really consider the Streisand effect before starting a blackmail campaign.
– ntoskrnlFeb 28 '14 at 15:38

9 Answers
9

It is not. This is a FUD (fear, uncertainty, and doubt) campaign by GMX because they want to display their ads. There is absolutely no security risk from the mentioned ad blockers. They added some crapware to the list to make it look more legitimate.

Of course such campaigns are very unusual, especially from such a big and well known company like GMX. Unfortunately, I have no English source at hand (because it's a German only campaign) but since you speak German you may want to read this article at heise.de.

Update #1: United Internet, the company behind GMX, received a lot of criticism for misleading customers by falsely claiming that there is a security risk on their PC. The Wall Street Journal (German edition) named the warnings displayed on GMX and the site they link to a "scare campaign".

Update #2: GMX now says that they will no longer display the link when you use ad blockers but will still display it if you use crapware that injects adverts, the list at the site http://www.browsersicherheit.info/ has been updated accordingly and now lists only a small collection of crapware. This list is by no means complete so it is not a reliable source when you want to know if your browser has crapware installed. However, United Internet still maintains it's position that they do not want users who visit their sites to use ad blockers and said they will develop other anti-blocking methods in the future (German source).

Who do you trust more? ABP (which is under constant scrutiny and would be steam rolled if it replaced mybank.com with something else) or Some Random German Company? COULD an addon be used for Evil Purposes? Of course... but without proof it's just blind accusations and FUD.
– WernerCDFeb 27 '14 at 14:54

21

@WernerCD GMX is a major email provider, one of the top non-gmail providers. It's not "some random German company". And, of all the countries, a German company is the one you decide to mistrust?
– SuperbestFeb 27 '14 at 19:29

17

@Superbest GMX and other German e-mail providers also run the "E-Mail made in Germany" campaign where they mislead customers into thinking that mails send over their mail servers are safe from surveillance.
– AndalurFeb 27 '14 at 19:33

6

@Superbest Well... if it isn't an American Companies, then it is some other random company. .. ... I jest I jest. But seriously, I would say the same for most companies - and would say the same if Comcast or Google told me to stop using ABP. You have to raise an eyebrow when a company that profits off of advertisements tells you to stop using an ad blocker.
– WernerCDFeb 27 '14 at 19:54

10

It's really kind of dishonest to say that there's no risk. However, the risks are small enough that I do agree that this is nothing more than a FUD campaign.
– josh3736Feb 27 '14 at 20:23

After thinking it over, I have to agree with the other answers in that, despite the fact that it CAN access your data, Adblock is more likely to protect your privacy than invade it. The real risk are malicious ads that prompt you to install software on your computer. Adblock prevents these.

Below is the original, cautionary answer:

Yes, it totally is.

Adblock Plus is a browser extension/add-on developed by an independent developer. Adblock can access the DOM (document object model) on all pages.

The way AdBlock works is that it injects script into your browser, which searches the DOM, and then runs a hide() function on what it determines are ads.

This can be used to steal your password which is even worse than stealing your token.

That Being Said, Is AdBlock itself Dangerous?

It seems to me that AdBlock is not overly dangerous as the developer has identified himself and it is used by millions of people. If it was doing the kind of trickiness as above, someone would have likely noticed and blown the whistle.

But don't think Chrome Extensions are totally safe. All of them can steal any data, as well as other malicious things.

What Else Can It Do?

A Chrome Extension can also perform the following security violations quite trivially...

Route the content of any email or page you read to a third-party source (if this email contains unencrypted login information, you are busted) If you can see it on the screen, so can any Chrome Extension, no questions asked.

Enter information into a field and press the submit button, for example, send an e-mail

If you leave your browser open, and the extension knows how, it can use your email interface (Gmail, Outlook) to send e-mail of its choosing to your contacts. This is trivial.

Change the script associated with any button, if that was originally put in with jQuery. For example, the button that sends your sign-in information to the server can be changed slightly to send that information to both the server and http://mymaliciousserver. This is trivial.

Update

It has been verified through discussion that AdBlock is open source. This should let you trust AdBlock more, but remember it is still capable of doing those things. I've reviewed the source and I can safely say I haven't any idea at all what's going on.

If it's a Chrome Extension, and you allow it to access your data on all pages, then it can do all those things. Almost all Chrome Extensions ask for this permission, and with AdBlocker it's required even to work, if you think about it.
– Code WhispererFeb 27 '14 at 21:09

@TobiasKienzer This is awesome. Excuse me while I fork AdBlock and begin my project of AdTeese, which replaces every add with a sized pin-up of Dita von Teese.
– Code WhispererFeb 28 '14 at 14:22

4

"open-source" means nothing if the source you're looking at is not the same source as the extension uses. I have published the Chrome extension source viewer that allows one to view the real source of an extension (= the one that is going to be used when you install an extension). Of course, you have to trust that the extension does what it promises, i.e. display correct source code instead of some censored one. It all boils down to "only install software from publishers you trust").
– Rob WFeb 28 '14 at 22:01

This really comes down to an issue of trust. It is true that today, the AdBlock extension is safe. We know that it will not steal your data, even though—as the other answers point out—it has the technical ability to do so.

However, Chrome extensions are silently and automatically updated.

Do you trust that the developer of the AdBlock extension will not add malicious code? I personally do – with millions of users, malicious code would be noticed quickly and would undoubtedly be a career killer for the developer.

Even if you do trust the developer, there are still unlikely scenarios that could expose you:

The developer's Chrome Store account could get hacked and the attacker could release a malicious update.

So while it is intellectually dishonest to say, "no, there is no risk," the risk is completely overblown by GMX. Just as I trust Google to give me a browser that does not steal my personal data, I trust the AdBlock developer to give me an extension that does not steal my data.

The risk of the extension being updated with malicious code is small enough that I don't worry about it, and if I did have the slightest concern, it's easy enough to disable the extension.

"Trust Google to give me a browser"... stunned by the fact that the words "Google" and "trust" are used in one sentence.
– Deer HunterFeb 28 '14 at 4:39

Good points indeed - the same applies for Firefox of course
– Tobias KienzlerFeb 28 '14 at 7:06

7

Hahaha - I trust google to provide a browser that does steal my data, but at least I have a reasonable idea of all the things they will do with my data, and I have currently bought into that model and manage that data set accordingly.
– Rory Alsop♦Feb 28 '14 at 9:12

1

Well... the browser itself won't steal your data; of course, the services that come with it are another story. Don't sign the browser into a Google account and uncheck all the boxes in the Privacy settings (or use Incognito), and you won't leak anything to Google. The same applies with Firefox and IE.
– josh3736Feb 28 '14 at 16:32

There have already been cases where developers of chrome extensions have sold their IP to another party who has not had the same ethics, security precautions etc. This is not to say AdBlock is a risk. It just emphasises that when you use an extension, you need to recognise that the situation can change and something you trusted and were confident about may end up evolving into something less trustworthy.
– Tim XDec 11 '14 at 22:43

All software is a security risk, but in this case their claim is misleading.

Just like all advice is potentially bad and and all transactions are potentially fraudulent. "Risk" just means your security isn't guarenteed, with is true in 100% of cases.

But in the case of AdBlock Plus, the software is well-understood and developed by a team that has a track record of protecting the interests of its users. Plus it's open-source, so the source code is available for you to examine yourself for any security issues. So in this case, the risk is minimal; trivial even.

Instead, GMX is using a truism ("software is always risky") to suggest that this software is dangerous, which is misleading at best, and possibly defamatory. It's like a resturaunt owner handing out leaflets saying his competitors could be poisoning their own food. Technically it's true, since you said "could be" instead of "are", but the action is fundamentally dishonest nonetheless.

Just an observation - I tend to promote ad blockers especially for my less savvy friends and associates - precisely because it reduces security threats. How? Because much of the most malicious content on the web comes in the form of a misleading advertisement like "click here to make your pc faster"... These largely disappear with an ad blocker.

If a site said "Please don't use an ad blocker on this site; they help us pay the bills and we promise not sell ad space to any malicious content." I'd feel obliged to turn my ad blocker off on that site.
– WyrmwoodFeb 28 '14 at 19:44

2

Exactly, that's what I do on the entire SE network
– Tobias KienzlerMar 1 '14 at 9:17

I'm not using adblockers, as I know it helps pay the bills on most sites I'm visiting. I would love to have a partial ad-blocker, which would only block ads that are known to be malicious. I'm also fine with obtrusive ads (flash, gif, videos, etc.), that are not malicious, just trying to grab attention, so Adblock Plus's lesser filter is still not okay for me.
– SztupYMar 4 '14 at 20:30

Adblock (as other extensions and, for that matter, browser developers) has the technical ability to get a lot of your data, and you have all the risks commonly associated with running third-party applications - namely, that the vendor can be malicious, and there may be bugs in their software that break your security.

That being said, I'd consider AdBlock as a defence against phishing. A lot of questionable software gets pushed to users through ads masquerading as something else - i.e., a site offers some item that a user wants, but has an ad that looks like a download button, and delivers some adware/malware product instead of the actual content on site, and such 'accidentally' downloaded malware is a serious security risk. Similarly, there have been incidents of mass consumer attacks by running an ad banner containing a zeroday exploit, which would cause the exploit to appear on respected, well trusted sites.

For company-wide security practices, it may make sense to require AdBlock and install it by default on every workstation - since it is especially useful to protect the inexperienced users who wouldn't install it themselves. This would cause a risk by trusting one more software product, but would be a net positive for everyday security.

interesting point, though for company-wide use I'd consider using a local fork that gets updated only after a sufficiently thorough review of the changes made
– Tobias KienzlerFeb 28 '14 at 9:12

1

Yes, a trusted&verified fixed version is great - again, that's just treating adblock risks exactly as you should treat any other commonly installed software and it's upgrades.
– PeterisFeb 28 '14 at 12:38

The way this information is spread by United Internet is misleading (I am trying hard to avoid saying "libel"). The allegation as it stands is clearly wrong by all objective means, and the presentation is defamatory.

Of course, in principle, one has to admit that Adblock (Plus) is of course a potential security risk. Whether this risk warrants a reasonable concern is another thing.

Adblock (Plus) might be a security risk for three reasons:

It is software that runs on your computer, which could, like all software, in principle do almost anything. Including showing false information or stealing your data.

It does modify web page contents, that is what blocking ads is about. Certainly, a software which is well-known to modify the contents of web pages could modify the contents in a malicious way and go unnoticed much easier than another software.

It performs this task by matching a downloadable list of regular expressions from a range of (uncontrolled/unknown) third parties, such as EasyList

So, if you are in ultra-paranoia mode, you might fear that either someone at EasyList (or another filter list provider) modifies the filter list so they do something malicious, or a hacker hijacks the site. Your Adblock Plus addon would presumably download the malicious list during its daily/weekly update without knowing and without a means of verification (there is a checksum that can be embedded, but this only protects from accidential corruption, not malicious modification).
As a result, such a malicious block list could in theory cause the addon to do "evil things".

Luckily, apart from JS exploits, there is not too much harm that could realistically be done via this attack vector due to the way Adblock works (it will match an arbitrary regex, but it won't do arbitrary susbstitutions, so hiding some elements it shouldn't hide or letting some ads through is pretty much the worst possible case).
On the other hand, a JS exploit could be used against you without Adblock Plus running in the first place.

Also, obviously, like any third party software (including Firefox or Chrome itself!) the Adblock Plus addon itself could steal your data. All you can say at the present time is that so far this has not happened.
Then again, almost all of the big commercial players in the business are doing untrustworthy things on a daily base, which nobody objects against.

Now you have to ask yourself how likely it is that Adblock Plus will indeed steal user data, and how likely it is that such a thing would go undetected for longer than a day or two on a widely-deployed open-source project.

Frankly, if you believe that this is a serious and realistic threat which is likely to affect you, then you must also believe that the Microsoft in collaboration with the NSA already builds identity theft functionality right into Windows and that every computer has a secret "kill switch" which the US DoD can activate at will (that too, is in principle possible, and it's actually more likely to be true than the author of Adblock stealing your savings).

You should not trust GMX either in this case, since they will (note the wording, will, not may) share all your personal data and traffic information in a malicious and unethical way with other parties (at least with US agencies, due to Schröder's 2001 treaty, but you have no way of telling with whom else).
You also shouldn't trust 1&1 (another member of United Internet) because they will share your personal data with who-knows-whom (being an US based company). Nor Google, nor the other half of the internet for that matter.

On the other hand, Adblock Plus has demonstrably prevented malware from being installed on users' computers in the past.

The other answers forget to mention the issue aside from trust: That adblock is modifying pages you visit. This and having to trust more developers is why I have never used ad blocking software/browser plugins, and strongly recommend against it.

It is well known that websites depend on all kinds of fragile invariants for security. For example, just look at the ways clickjacking has been addressed in the past. There is nothing stopping adblock from mistakenly violating an invariant that the site depends on for security.

Also adblock and other ad blocking software decrease anonymity. An adversary can either make you run code to browse the DOM tree and look for missing parts / alterations, or passively observe that you aren't making certain requests to fetch ad-related content (some of which may be hosted on the site itself, making it a possible adversary).

Something no-one has mentioned here is that Adblock plus along almost all other browsers and extensions can be updated remotely. This means there must be a backdoor in the program even if it is locked down to specific "trustworthy" update URLs. This could be interpreted as spyware, but spyware is a somewhat abstract term.

It's true that most people have said it is not safe as it has permissions to read and send data although it's widely accepted that Adblock plus in particular is not malicious. Despite for the most part being open source (Adblock included) browser software and extensions are only as secure as the update URLs for which there is no way of knowing how secure they actually are as the code for these services is remote and therefore not accessible.

Obviously no software or server can be 100% secure due to entropy and having users, but to obtain the highest possible security you should study the source code, always build from source and disable automatic updating. Like with all software, browsers and extensions are only as secure as the user makes them.

"Something no-one has mentioned here is that Adblock plus along almost all other browsers and extensions can be updated remotely." Read again; this has been mentioned.
– LucMay 17 '14 at 10:02

Oh sorry, my mistake. I assumed so since your post is more towards the bottom than the one that originally mentioned it (oftentimes posts are very roughly in chronological order), but of course I should have checked. I stand corrected :)
– LucMay 17 '14 at 23:31

Thank you for your interest in this question.
Because it has attracted low-quality or spam answers that had to be removed, posting an answer now requires 10 reputation on this site (the association bonus does not count).